STUSERTRACE: User trace for authorization checks

ST01 and STAUTHTRACE transactions can be used for short term in-depth authorization traces. The problem is that these traces are very detailed and generate a lot of data.

For some use cases, you need to know what authorizations are needed for a user for longer period of time. Example: you have some background users with too many authorizations and your are tasked to reduce this. Then you want to enable a long term trace that records which authorizations are used by this user ID. You are not interested in how many times and when, but just need a complete list over a very long time (for example 2 months). Another example is when you are tasked to S_TABU_NAM full * authorization with actual table names. How to find out which tables are actually needed?

This is the goal of the STUSERTRACE: long term recording of authorization checks called including detailed table level.

STUSERTRACE enabling settings

The activation is described in OSS note 2220030 – STUSERTRACE: User trace for authorization checks. The first step is to switch parameter to value F. There is an option to set to Y for full, but don’t do this. F is the value where filtering happens.

As explained in OSS note 2220030 there is a minor performance impact. To limit the impact, use filtering.

Now start transaction STUSERTRACE to set the filters:

Choose the Change Filter button to add filters:

In this case we add the standard SAP workflow user to trace.

STUSERTRACE results

After you let the trace run, you can use the STUSERTRACE transaction to see which authorization checks were executed for this user ID:

STUSERTRACE will also capture detailed table access down to actual table level:

This means this transaction STUSERTRACE can also be used help replace * values in S_TABU_NAM with the actual tables.

Reorganization of data

Reorganization of data to clean up can be done using menu function Goto/Reorganize:

Relevant OSS notes